Title: [236218] branches/safari-606-branch
Revision
236218
Author
[email protected]
Date
2018-09-19 13:54:04 -0700 (Wed, 19 Sep 2018)

Log Message

Cherry-pick r235356. rdar://problem/44613253

    [JSC] Array.prototype.reverse modifies JSImmutableButterfly
    https://bugs.webkit.org/show_bug.cgi?id=188794

    Reviewed by Saam Barati.

    JSTests:

    * stress/reverse-with-immutable-butterfly.js: Added.
    (shouldBe):
    (reverseInt):
    (reverseDouble):
    (reverseContiguous):

    Source/_javascript_Core:

    While Array.prototype.reverse modifies the butterfly of the given Array in place,
    it does not account for the JSImmutableButterfly case. So it accidentally modifies
    the content of the JSImmutableButterfly, which is shared by every array created
    from the same literal.
    This patch converts CoW arrays to writable arrays before reversing.

    * runtime/ArrayPrototype.cpp:
    (JSC::arrayProtoFuncReverse):
    * runtime/JSObject.h:
    (JSC::JSObject::ensureWritable):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235356 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-606-branch/JSTests/ChangeLog (236217 => 236218)


--- branches/safari-606-branch/JSTests/ChangeLog	2018-09-19 20:08:51 UTC (rev 236217)
+++ branches/safari-606-branch/JSTests/ChangeLog	2018-09-19 20:54:04 UTC (rev 236218)
@@ -1,3 +1,47 @@
+2018-09-19  Kocsen Chung  <[email protected]>
+
+        Cherry-pick r235356. rdar://problem/44613253
+
+    [JSC] Array.prototype.reverse modifies JSImmutableButterfly
+    https://bugs.webkit.org/show_bug.cgi?id=188794
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/reverse-with-immutable-butterfly.js: Added.
+    (shouldBe):
+    (reverseInt):
+    (reverseDouble):
+    (reverseContiguous):
+    
+    Source/_javascript_Core:
+    
+    While Array.prototype.reverse modifies the butterfly of the given Array,
+    it does not account JSImmutableButterfly case. So it accidentally modifies
+    the content of JSImmutableButterfly.
+    This patch converts CoW arrays to writable arrays before reversing.
+    
+    * runtime/ArrayPrototype.cpp:
+    (JSC::arrayProtoFuncReverse):
+    * runtime/JSObject.h:
+    (JSC::JSObject::ensureWritable):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235356 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-08-24  Yusuke Suzuki  <[email protected]>
+
+            [JSC] Array.prototype.reverse modifies JSImmutableButterfly
+            https://bugs.webkit.org/show_bug.cgi?id=188794
+
+            Reviewed by Saam Barati.
+
+            * stress/reverse-with-immutable-butterfly.js: Added.
+            (shouldBe):
+            (reverseInt):
+            (reverseDouble):
+            (reverseContiguous):
+
 2018-09-06  Mark Lam  <[email protected]>
 
         Cherry-pick r235254, r235419, r235666. rdar://problem/44169332

Added: branches/safari-606-branch/JSTests/stress/reverse-with-immutable-butterfly.js (0 => 236218)


--- branches/safari-606-branch/JSTests/stress/reverse-with-immutable-butterfly.js	                        (rev 0)
+++ branches/safari-606-branch/JSTests/stress/reverse-with-immutable-butterfly.js	2018-09-19 20:54:04 UTC (rev 236218)
@@ -0,0 +1,28 @@
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function reverseInt()
+{
+    var array = [0, 1, 2, 3];
+    return array.reverse();
+}
+
+function reverseDouble()
+{
+    var array = [0.0, 1.1, 2.2, 3.3];
+    return array.reverse();
+}
+
+function reverseContiguous()
+{
+    var array = [0.0, 1.1, 2.2, 'hello'];
+    return array.reverse();
+}
+
+for (var i = 0; i < 1e4; ++i) {
+    shouldBe(JSON.stringify(reverseInt()), `[3,2,1,0]`);
+    shouldBe(JSON.stringify(reverseDouble()), `[3.3,2.2,1.1,0]`);
+    shouldBe(JSON.stringify(reverseContiguous()), `["hello",2.2,1.1,0]`);
+}
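Review bot: The 1e4 iteration loop is the part of this test that actually detects the bug, but nothing says so; each `reverseX` re-evaluates the same array literal, and before the fix the reversed contents would leak into the shared immutable butterfly so the second iteration would start from `[3,2,1,0]` and fail. I would add a comment above the loop: `// Each call re-evaluates the literal; if reverse() wrote through a copy-on-write butterfly, later iterations would observe the reversed contents.` It may also be worth asserting, after the loop, that a fresh evaluation of `[0, 1, 2, 3]` still stringifies to `[0,1,2,3]`, which pins the invariant directly rather than through the repeated reverse.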

Modified: branches/safari-606-branch/Source/_javascript_Core/ChangeLog (236217 => 236218)


--- branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-09-19 20:08:51 UTC (rev 236217)
+++ branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-09-19 20:54:04 UTC (rev 236218)
@@ -1,3 +1,51 @@
+2018-09-19  Kocsen Chung  <[email protected]>
+
+        Cherry-pick r235356. rdar://problem/44613253
+
+    [JSC] Array.prototype.reverse modifies JSImmutableButterfly
+    https://bugs.webkit.org/show_bug.cgi?id=188794
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/reverse-with-immutable-butterfly.js: Added.
+    (shouldBe):
+    (reverseInt):
+    (reverseDouble):
+    (reverseContiguous):
+    
+    Source/_javascript_Core:
+    
+    While Array.prototype.reverse modifies the butterfly of the given Array,
+    it does not account JSImmutableButterfly case. So it accidentally modifies
+    the content of JSImmutableButterfly.
+    This patch converts CoW arrays to writable arrays before reversing.
+    
+    * runtime/ArrayPrototype.cpp:
+    (JSC::arrayProtoFuncReverse):
+    * runtime/JSObject.h:
+    (JSC::JSObject::ensureWritable):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235356 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-08-24  Yusuke Suzuki  <[email protected]>
+
+            [JSC] Array.prototype.reverse modifies JSImmutableButterfly
+            https://bugs.webkit.org/show_bug.cgi?id=188794
+
+            Reviewed by Saam Barati.
+
+            While Array.prototype.reverse modifies the butterfly of the given Array,
+            it does not account JSImmutableButterfly case. So it accidentally modifies
+            the content of JSImmutableButterfly.
+            This patch converts CoW arrays to writable arrays before reversing.
+
+            * runtime/ArrayPrototype.cpp:
+            (JSC::arrayProtoFuncReverse):
+            * runtime/JSObject.h:
+            (JSC::JSObject::ensureWritable):
+
 2018-09-06  Babak Shafiei  <[email protected]>
 
         Cherry-pick r235251. rdar://problem/44209840

Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp (236217 => 236218)


--- branches/safari-606-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2018-09-19 20:08:51 UTC (rev 236217)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2018-09-19 20:54:04 UTC (rev 236218)
@@ -855,6 +855,8 @@
     unsigned length = toLength(exec, thisObject);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
+    thisObject->ensureWritable(vm);
+
     switch (thisObject->indexingType()) {
     case ALL_CONTIGUOUS_INDEXING_TYPES:
     case ALL_INT32_INDEXING_TYPES: {
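Review bot: The new `thisObject->ensureWritable(vm)` carries no comment, yet its placement is the whole fix: it must run before the indexing-type switch because the fast-path cases (the rest of the function is outside this hunk) mutate the butterfly in place, and a copy-on-write butterfly is shared with the JSImmutableButterfly backing the array literal. It should also stay after `toLength`, which can presumably run user code (it has a `RETURN_IF_EXCEPTION`), so that the conversion reflects the object's state once that code has finished. I would add: `// The fast paths below reverse the butterfly in place; convert a copy-on-write butterfly first so the shared JSImmutableButterfly is never written.`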

Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/JSArray.cpp (236217 => 236218)


--- branches/safari-606-branch/Source/_javascript_Core/runtime/JSArray.cpp	2018-09-19 20:08:51 UTC (rev 236217)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/JSArray.cpp	2018-09-19 20:54:04 UTC (rev 236218)
@@ -287,8 +287,7 @@
         return ordinarySetSlow(exec, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode());
     }
 
-    if (isCopyOnWrite(thisObject->indexingMode()))
-        thisObject->convertFromCopyOnWrite(vm);
+    thisObject->ensureWritable(vm);
 
     if (propertyName == vm.propertyNames->length) {
         if (!thisObject->isLengthWritable())
@@ -662,8 +661,7 @@
     VM& vm = exec->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (isCopyOnWrite(indexingMode()))
-        convertFromCopyOnWrite(vm);
+    ensureWritable(vm);
 
     Butterfly* butterfly = this->butterfly();
 
@@ -770,14 +768,11 @@
 JSArray* JSArray::fastSlice(ExecState& exec, unsigned startIndex, unsigned count)
 {
     VM& vm = exec.vm();
+
+    ensureWritable(vm);
+
     auto arrayType = indexingMode();
     switch (arrayType) {
-    case CopyOnWriteArrayWithInt32:
-    case CopyOnWriteArrayWithDouble:
-    case CopyOnWriteArrayWithContiguous:
-        convertFromCopyOnWrite(vm);
-        arrayType = indexingMode();
-        FALLTHROUGH;
     case ArrayWithDouble:
     case ArrayWithInt32:
     case ArrayWithContiguous: {
@@ -922,8 +917,7 @@
     VM& vm = exec->vm();
     RELEASE_ASSERT(count > 0);
 
-    if (isCopyOnWrite(indexingMode()))
-        convertFromCopyOnWrite(vm);
+    ensureWritable(vm);
 
     Butterfly* butterfly = this->butterfly();
     
@@ -1081,8 +1075,7 @@
     VM& vm = exec->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (isCopyOnWrite(indexingMode()))
-        convertFromCopyOnWrite(vm);
+    ensureWritable(vm);
 
     Butterfly* butterfly = this->butterfly();
     

Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/JSArrayInlines.h (236217 => 236218)


--- branches/safari-606-branch/Source/_javascript_Core/runtime/JSArrayInlines.h	2018-09-19 20:08:51 UTC (rev 236217)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/JSArrayInlines.h	2018-09-19 20:54:04 UTC (rev 236218)
@@ -88,7 +88,8 @@
     VM& vm = exec->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-reloop:
+    ensureWritable(vm);
+
     Butterfly* butterfly = this->butterfly();
 
     switch (indexingMode()) {
@@ -228,12 +229,9 @@
         return;
     }
 
-    default: {
-        RELEASE_ASSERT(isCopyOnWrite(indexingMode()));
-        convertFromCopyOnWrite(vm);
-        goto reloop;
+    default:
+        RELEASE_ASSERT_NOT_REACHED();
     }
-    }
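Review bot: Replacing the `default` case's `RELEASE_ASSERT(isCopyOnWrite(indexingMode()))` with `RELEASE_ASSERT_NOT_REACHED()` drops the hint that copy-on-write modes used to land here, so a reader of this switch alone cannot tell why none are handled. A one-line comment keeps that knowledge local: `// ensureWritable() above converted any copy-on-write mode; every remaining mode has a case.` The enclosing function starts before this hunk, and its `ensureWritable(vm)` call is in the previous hunk of this file.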
 }
 
 } // namespace JSC

Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/JSObject.cpp (236217 => 236218)


--- branches/safari-606-branch/Source/_javascript_Core/runtime/JSObject.cpp	2018-09-19 20:08:51 UTC (rev 236217)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/JSObject.cpp	2018-09-19 20:54:04 UTC (rev 236218)
@@ -838,8 +838,7 @@
         return thisObject->methodTable(vm)->put(thisObject, exec, Identifier::from(exec, propertyName), value, slot);
     }
 
-    if (isCopyOnWrite(thisObject->indexingMode()))
-        thisObject->convertFromCopyOnWrite(vm);
+    thisObject->ensureWritable(vm);
 
     switch (thisObject->indexingType()) {
     case ALL_BLANK_INDEXING_TYPES:
@@ -1598,9 +1597,8 @@
     if (structure(vm)->hijacksIndexingHeader())
         return nullptr;
 
-    if (isCopyOnWrite(indexingMode()))
-        convertFromCopyOnWrite(vm);
-    
+    ensureWritable(vm);
+
     switch (indexingType()) {
     case ALL_BLANK_INDEXING_TYPES:
         if (UNLIKELY(indexingShouldBeSparse(vm)))
@@ -1635,8 +1633,7 @@
 
 ArrayStorage* JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode(VM& vm)
 {
-    if (isCopyOnWrite(indexingMode()))
-        convertFromCopyOnWrite(vm);
+    ensureWritable(vm);
 
     switch (indexingType()) {
     case ALL_BLANK_INDEXING_TYPES: {
@@ -1669,8 +1666,7 @@
 
 void JSObject::switchToSlowPutArrayStorage(VM& vm)
 {
-    if (isCopyOnWrite(indexingMode()))
-        convertFromCopyOnWrite(vm);
+    ensureWritable(vm);
 
     switch (indexingType()) {
     case ArrayClass:
@@ -2507,8 +2503,7 @@
 
     ASSERT(index <= MAX_ARRAY_INDEX);
 
-    if (isCopyOnWrite(indexingMode()))
-        convertFromCopyOnWrite(vm);
+    ensureWritable(vm);
 
     if (!inSparseIndexingMode()) {
         // Fast case: we're putting a regular property to a regular array

Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/JSObject.h (236217 => 236218)


--- branches/safari-606-branch/Source/_javascript_Core/runtime/JSObject.h	2018-09-19 20:08:51 UTC (rev 236217)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/JSObject.h	2018-09-19 20:54:04 UTC (rev 236218)
@@ -865,6 +865,12 @@
 
         return ensureArrayStorageSlow(vm);
     }
+
+    void ensureWritable(VM& vm)
+    {
+        if (isCopyOnWrite(indexingMode()))
+            convertFromCopyOnWrite(vm);
+    }
         
     static size_t offsetOfInlineStorage();
         